Crypto Map Phase 2 One Way Only.

Hi Everyone,

Got possibly a classic crypto map problem here, running through the R&S V5 Workbook using VIRL, doing the lab on the Crypto maps, looks like the ipsec sa comes up, but I only encaps/decaps one way (when sending ping from R10 to 9):

R8#sh crypto ipsec sa

interface: GigabitEthernet0/1.58

    Crypto map tag: R7_TO_R8, local addr 150.1.8.8

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (150.1.10.10/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (150.1.9.9/255.255.255.255/0/0)

   current_peer 150.1.7.7 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

 

I'm trying to ping back from the other end, R9, R7 doesn't even start Phase 1, and looking at the ACL it looks like the traffic isn't hitting it, even though it's applied via the crypto map, and the crypto map is applied to the outbound interface:

 R7#sh crypto map

        Interfaces using crypto map NiStTeSt1:


Crypto Map: "R7_TO_R8" idb: Loopback0 local address: 150.1.7.7


Crypto Map IPv4 "R7_TO_R8" 10 ipsec-isakmp

        Peer = 150.1.8.8

        Extended IP access list R7_TO_R8_ACL

            access-list R7_TO_R8_ACL permit ip host 150.1.9.9 host 150.1.10.10

            access-list R7_TO_R8_ACL permit ip host 150.1.9.9 155.1.10.0 0.0.0.255

            access-list R7_TO_R8_ACL permit ip 155.1.9.0 0.0.0.255 host 150.1.10.10

            access-list R7_TO_R8_ACL permit ip 155.1.9.0 0.0.0.255 155.1.10.0 0.0.0.255

        Current peer: 150.1.8.8

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Mixed-mode : Disabled

        Transform sets={ 

                ESP_AES192_SHA384:  { esp-192-aes esp-sha384-hmac  } , 

        }

        Interfaces using crypto map R7_TO_R8:

                GigabitEthernet0/1.37



R7#sh acc

R7#sh access-li

R7#sh access-lists 

Extended IP access list R7_TO_R8_ACL

    10 permit ip host 150.1.9.9 host 150.1.10.10

    20 permit ip host 150.1.9.9 155.1.10.0 0.0.0.255

    30 permit ip 155.1.9.0 0.0.0.255 host 150.1.10.10

    40 permit ip 155.1.9.0 0.0.0.255 155.1.10.0 0.0.0.255

I've confirmed the routing between the VPN endpoints (R7 & R8), tried deleting the crypto maps off the interfaces and putting them back on, and finally did a reload. I'm always thinking my mistakes are bugs in VIRL, but this looks really strange. I've spent around 3 nights looking at it; I think I need a second pair of eyes!

Here is the crypto map & ACL from the other side for reference:

R8#sh crypto map 

        Interfaces using crypto map NiStTeSt1:


Crypto Map: "R7_TO_R8" idb: Loopback0 local address: 150.1.8.8


Crypto Map IPv4 "R7_TO_R8" 10 ipsec-isakmp

        Peer = 150.1.7.7

        Extended IP access list R7_TO_R8_ACL

            access-list R7_TO_R8_ACL permit ip host 150.1.10.10 host 150.1.9.9

            access-list R7_TO_R8_ACL permit ip host 150.1.10.10 155.1.9.0 0.0.0.255

            access-list R7_TO_R8_ACL permit ip 155.1.10.0 0.0.0.255 host 150.1.9.9

            access-list R7_TO_R8_ACL permit ip 155.1.10.0 0.0.0.255 155.1.9.0 0.0.0.255

        Current peer: 150.1.7.7

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Mixed-mode : Disabled

        Transform sets={ 

                ESP_AES192_SHA384:  { esp-192-aes esp-sha384-hmac  } , 

        }

        Interfaces using crypto map R7_TO_R8:

                GigabitEthernet0/1.58



R8# sh acc

R8# sh access-li

R8# sh access-lists 

Extended IP access list R7_TO_R8_ACL

    10 permit ip host 150.1.10.10 host 150.1.9.9 (83 matches)

    20 permit ip host 150.1.10.10 155.1.9.0 0.0.0.255

    30 permit ip 155.1.10.0 0.0.0.255 host 150.1.9.9

    40 permit ip 155.1.10.0 0.0.0.255 155.1.9.0 0.0.0.255

R8#

Comments

  • any chance u could give us some crypto isakmp debugs from both sides - let's see what ur phase 1 protocols are doing?

  • Yeah sure, ISAKMP from R7 when responding to R8 phase 1 is below. One thing to note: if I try to establish phase 1 from R7 to R8, ISAKMP doesn't even start:

    R7:

     

    ISAKMP (0): received packet from 150.1.8.8 dport 500 sport 500 Global (N) NEW SA

    ISAKMP: Created a peer struct for 150.1.8.8, peer port 500

    ISAKMP: New peer created peer = 0xE8D6D58 peer_handle = 0x80000003

    ISAKMP: Locking peer struct 0xE8D6D58, refcount 1 for crypto_isakmp_process_block

    ISAKMP: local port 500, remote port 500

    ISAKMP:(0):insert sa successfully sa = AB80078

    ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

    ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

     

    ISAKMP:(0): processing SA payload. message ID = 0

    ISAKMP:(0): processing vendor id payload

    ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

    ISAKMP (0): vendor ID is NAT-T RFC 3947

    ISAKMP:(0): processing vendor id payload

    ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

    ISAKMP (0): vendor ID is NAT-T v7

    ISAKMP:(0): processing vendor id payload

    ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

    ISAKMP:(0): vendor ID is NAT-T v3

    ISAKMP:(0): processing vendor id payload

    ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

    ISAKMP:(0): vendor ID is NAT-T v2

    ISAKMP:(0):found peer pre-shared key matching 150.1.8.8

    ISAKMP:(0): local preshared key found

    ISAKMP : Scanning profiles for xauth ...

    ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

    ISAKMP:      encryption AES-CBC

    ISAKMP:      keylength of 256

    ISAKMP:      hash SHA512

    ISAKMP:      default group 24

    ISAKMP:      auth pre-share

    ISAKMP:      life type in seconds

    ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 

    ISAKMP:(0):atts are acceptable. Next payload is 0

    ISAKMP:(0):Acceptable atts:actual life: 86400

    ISAKMP:(0):Acceptable atts:life: 0

    ISAKMP:(0):Fill atts in sa vpi_length:4

    ISAKMP:(0):Fill atts in sa life_in_seconds:86400

    ISAKMP:(0):Returning Actual lifetime: 86400

    ISAKMP:(0)::Started lifetime timer: 86400.

     

    ISAKMP:(0): processing vendor id payload

    ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

    ISAKMP (0): vendor ID is NAT-T RFC 3947

    ISAKMP:(0): processing vendor id payload

    ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

    ISAKMP (0): vendor ID is NAT-T v7

    ISAKMP:(0): processing vendor id payload

    ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

    ISAKMP:(0): vendor ID is NAT-T v3

    ISAKMP:(0): processing vendor id payload

    ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

    ISAKMP:(0): vendor ID is NAT-T v2

    ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

    ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

     

    ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

    ISAKMP:(0): sending packet to 150.1.8.8 my_port 500 peer_port 500 (R) MM_SA_SETUP

    ISAKMP:(0):Sending an IKE IPv4 Packet.

    ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

    ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

     

    ISAKMP (0): received packet from 150.1.8.8 dport 500 sport 500 Global (R) MM_SA_SETUP

    ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

    ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3 

     

    ISAKMP:(0): processing KE payload. message ID = 0

    ISAKMP:(0): processing NONCE payload. message ID = 0

    ISAKMP:(0):found peer pre-shared key matching 150.1.8.8

    ISAKMP:(1002): processing vendor id payload

    ISAKMP:(1002): vendor ID is DPD

    ISAKMP:(1002): processing vendor id payload

    ISAKMP:(1002): speaking to another IOS box!

    ISAKMP:(1002): processing vendor id payload

    ISAKMP:(1002): vendor ID seems Unity/DPD but major 226 mismatch

    ISAKMP:(1002): vendor ID is XAUTH

    ISAKMP:received payload type 20

    ISAKMP (1002): His hash no match - this node outside NAT

    ISAKMP:received payload type 20

    ISAKMP (1002): No NAT Found for self or peer

    ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

    ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM3 

     

    ISAKMP:(1002): sending packet to 150.1.8.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH

    ISAKMP:(1002):Sending an IKE IPv4 Packet.

    ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

    ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM4 

     

    ISAKMP (1002): received packet from 150.1.8.8 dport 500 sport 500 Global (R) MM_KEY_EXCH

    ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

    ISAKMP:(1002):Old State = IKE_R_MM4  New State = IKE_R_MM5 

     

    ISAKMP:(1002): processing ID payload. message ID = 0

    ISAKMP (1002): ID payload 

            next-payload : 8

            type         : 1 

            address      : 150.1.8.8 

            protocol     : 17 

            port         : 500 

            length       : 12

    ISAKMP:(0):: peer matches *none* of the profiles

    ISAKMP:(1002): processing HASH payload. message ID = 0

    ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1

            spi 0, message ID = 0, sa = 0xAB80078

    ISAKMP:(1002):SA authentication status:

            authenticated

    ISAKMP:(1002):SA has been authenticated with 150.1.8.8

    ISAKMP:(1002):SA authentication status:

            authenticated

    ISAKMP:(1002): Process initial contact,

    bring down existing phase 1 and 2 SA's with local 150.1.7.7 remote 150.1.8.8 remote port 500

    ISAKMP: Trying to insert a peer 150.1.7.7/150.1.8.8/500/,  and inserted successfully E8D6D58.

    ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

    ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_R_MM5 

     

    ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

    ISAKMP (1002): ID payload 

            next-payload : 8

            type         : 1 

            address      : 150.1.7.7 

            protocol     : 17 

            port         : 500 

            length       : 12

    ISAKMP:(1002):Total payload length: 12

    ISAKMP:(1002): sending packet to 150.1.8.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH

    ISAKMP:(1002):Sending an IKE IPv4 Packet.

    ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

    ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 

     

    ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

    ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

     

    ISAKMP (1002): received packet from 150.1.8.8 dport 500 sport 500 Global (R) QM_IDLE      

    ISAKMP: set new node 912673883 to QM_IDLE      

    ISAKMP:(1002): processing HASH payload. message ID = 912673883

    ISAKMP:(1002): processing SA payload. message ID = 912673883

    ISAKMP:(1002):Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_AES 

    ISAKMP:   attributes in transform:

    ISAKMP:      encaps is 1 (Tunnel)

    ISAKMP:      SA life type in seconds

    ISAKMP:      SA life duration (basic) of 3600

    ISAKMP:      SA life type in kilobytes

    ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 

    ISAKMP:      authenticator is HMAC-SHA384

    ISAKMP:      key length is 192

    ISAKMP:(1002):atts are acceptable.

    ISAKMP:(1002): processing NONCE payload. message ID = 912673883

    ISAKMP:(1002): processing ID payload. message ID = 912673883

    ISAKMP:(1002): processing ID payload. message ID = 912673883

    ISAKMP:(1002):QM Responder gets spi

    ISAKMP:(1002):Node 912673883, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

    ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

    ISAKMP:(1002):Node 912673883, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

    ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT

     ISAKMP: Failed to find peer index node to update peer_info_list

    ISAKMP:(1002):Received IPSec Install callback... proceeding with the negotiation

    ISAKMP:(1002):Successfully installed IPSEC SA (SPI:0xC876977A) on GigabitEthernet0/1.37

    ISAKMP:(1002): sending packet to 150.1.8.8 my_port 500 peer_port 500 (R) QM_IDLE      

    ISAKMP:(1002):Sending an IKE IPv4 Packet.

    ISAKMP:(1002):Node 912673883, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE

    ISAKMP:(1002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2

    ISAKMP (1002): received packet from 150.1.8.8 dport 500 sport 500 Global (R) QM_IDLE      

    ISAKMP:(1002):deleting node 912673883 error FALSE reason "QM done (await)"

    ISAKMP:(1002):Node 912673883, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

    ISAKMP:(1002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

    R7# 

    R8 (initiator) :

     

    ISAKMP:(0): SA request profile is (NULL)

    ISAKMP: Created a peer struct for 150.1.7.7, peer port 500

    ISAKMP: New peer created peer = 0xE95DCA8 peer_handle = 0x80000009

    ISAKMP: Locking peer struct 0xE95DCA8, refcount 1 for isakmp_initiator

    ISAKMP: local port 500, remote port 500

    ISAKMP: set new node 0 to QM_IDLE      

    ISAKMP:(0):insert sa successfully sa = B7939F8

    ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

    ISAKMP:(0):found peer pre-shared key matching 150.1.7.7

    ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

    ISAKMP:(0): constructed NAT-T vendor-07 ID

    ISAKMP:(0): constructed NAT-T vendor-03 ID

    ISAKMP:(0): constructed NAT-T vendor-02 ID

    ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

    ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

     

    ISAKMP:(0): beginning Main Mode exchange

    ISAKMP:(0): sending packet to 150.1.7.7 my_port 500 peer_port 500 (I) MM_NO_STATE

    ISAKMP:(0):Sending an IKE IPv4 Packet.

    ISAKMP (0): received packet from 150.1.7.7 dport 500 sport 500 Global (I) MM_NO_STATE

    ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

    ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

     

    ISAKMP:(0): processing SA payload. message ID = 0

    ISAKMP:(0): processing vendor id payload

    ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

    ISAKMP (0): vendor ID is NAT-T RFC 3947

    ISAKMP:(0):found peer pre-shared key matching 150.1.7.7

    ISAKMP:(0): local preshared key found

    ISAKMP : Scanning profiles for xauth ...

    ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

    ISAKMP:      encryption AES-CBC

    ISAKMP:      keylength of 256

    ISAKMP:      hash SHA512

    ISAKMP:      default group 24

    ISAKMP:      auth pre-share

    ISAKMP:      life type in seconds

    ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 

    ISAKMP:(0):atts are acceptable. Next payload is 0

    ISAKMP:(0):Acceptable atts:actual life: 0

    ISAKMP:(0):Acceptable atts:life: 0

    ISAKMP:(0):Fill atts in sa vpi_length:4

    ISAKMP:(0):Fill atts in sa life_in_seconds:86400

    ISAKMP:(0):Returning Actual lifetime: 86400

    ISAKMP:(0)::Started lifetime timer: 86400.

     

    ISAKMP:(0): processing vendor id payload

    ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

    ISAKMP (0): vendor ID is NAT-T RFC 3947

    ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

    ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

     

    ISAKMP:(0): sending packet to 150.1.7.7 my_port 500 peer_port 500 (I) MM_SA_SETUP

    ISAKMP:(0):Sending an IKE IPv4 Packet.

    ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

    ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

     

    ISAKMP (0): received packet from 150.1.7.7 dport 500 sport 500 Global (I) MM_SA_SETUP

    ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

    ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

     

    ISAKMP:(0): processing KE payload. message ID = 0

    ISAKMP:(0): processing NONCE payload. message ID = 0

    ISAKMP:(0):found peer pre-shared key matching 150.1.7.7

    ISAKMP:(1004): processing vendor id payload

    ISAKMP:(1004): vendor ID is Unity

    ISAKMP:(1004): processing vendor id payload

    ISAKMP:(1004): vendor ID is DPD

    ISAKMP:(1004): processing vendor id payload

    ISAKMP:(1004): speaking to another IOS box!

    ISAKMP:received payload type 20

    ISAKMP (1004): His hash no match - this node outside NAT

    ISAKMP:received payload type 20

    ISAKMP (1004): No NAT Found for self or peer

    ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

    ISAKMP:(1004):Old State = IKE_I_MM4  New State = IKE_I_MM4 

     

    ISAKMP:(1004):Send initial contact

    ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

    ISAKMP (1004): ID payload 

            next-payload : 8

            type         : 1 

            address      : 150.1.8.8 

            protocol     : 17 

            port         : 500 

            length       : 12

    ISAKMP:(1004):Total payload length: 12

    ISAKMP:(1004): sending packet to 150.1.7.7 my_port 500 peer_port 500 (I) MM_KEY_EXCH

    ISAKMP:(1004):Sending an IKE IPv4 Packet.

    ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

    ISAKMP:(1004):Old State = IKE_I_MM4  New State = IKE_I_MM5 

     

    ISAKMP (1004): received packet from 150.1.7.7 dport 500 sport 500 Global (I) MM_KEY_EXCH

    ISAKMP:(1004): processing ID payload. message ID = 0

    ISAKMP (1004): ID payload 

            next-payload : 8

            type         : 1 

            address      : 150.1.7.7 

            protocol     : 17 

            port         : 500 

            length       : 12

    ISAKMP:(0):: peer matches *none* of the profiles

    ISAKMP:(1004): processing HASH payload. message ID = 0

    ISAKMP:(1004):SA authentication status:

            authenticated

    ISAKMP:(1004):SA has been authenticated with 150.1.7.7

    ISAKMP: Trying to insert a peer 150.1.8.8/150.1.7.7/500/,  and inserted successfully E95DCA8.

    ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

    ISAKMP:(1004):Old State = IKE_I_MM5  New State = IKE_I_MM6 

     

    ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

    ISAKMP:(1004):Old State = IKE_I_MM6  New State = IKE_I_MM6 

     

    ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

    ISAKMP:(1004):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 

     

    ISAKMP:(1004):beginning Quick Mode exchange, M-ID of 912673883

    ISAKMP:(1004):QM Initiator gets spi

    ISAKMP:(1004): sending packet to 150.1.7.7 my_port 500 peer_port 500 (I) QM_IDLE      

    ISAKMP:(1004):Sending an IKE IPv4 Packet.

    ISAKMP:(1004):Node 912673883, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

    ISAKMP:(1004):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

    ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

    ISAKMP:(1004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

     

    ISAKMP (1004): received packet from 150.1.7.7 dport 500 sport 500 Global (I) QM_IDLE      

    ISAKMP:(1004): processing HASH payload. message ID = 912673883

    ISAKMP:(1004): processing SA payload. message ID = 912673883

    ISAKMP:(1004):Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_AES 

    ISAKMP:   attributes in transform:

    ISAKMP:      encaps is 1 (Tunnel)

    ISAKMP:      SA life type in seconds

    ISAKMP:      SA life duration (basic) of 3600

    ISAKMP:      SA life type in kilobytes

    ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 

    ISAKMP:      authenticator is HMAC-SHA384

    ISAKMP:      key length is 192

    ISAKMP:(1004):atts are acceptable.

    IPSEC(validate_proposal_request): proposal part #1

    IPSEC(validate_proposal_request): proposal part #1,

      (key eng. msg.) INBOUND local= 150.1.8.8:0, remote= 150.1.7.7:0,

        local_proxy= 150.1.10.10/255.255.255.255/256/0,

        remote_proxy= 150.1.9.9/255.255.255.255/256/0,

        protocol= ESP, transform= esp-aes 192 esp-sha384-hmac  (Tunnel), 

        lifedur= 0s and 0kb, 

        spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0

    Crypto mapdb : proxy_match

            src addr     : 150.1.10.10

            dst addr     : 150.1.9.9

            protocol     : 0

            src port     : 0

            dst port     : 0

    (ipsec_process_proposal)Map Accepted: R7_TO_R8, 10

    ISAKMP:(1004): processing NONCE payload. message ID = 912673883

    ISAKMP:(1004): processing ID payload. message ID = 912673883

    ISAKMP:(1004): processing ID payload. message ID = 912673883

    ISAKMP:(1004):Node 912673883, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

    ISAKMP:(1004):Old State = IKE_QM_I_QM1  New State = IKE_QM_IPSEC_INSTALL_AWAIT

    IPSEC(key_engine): got a queue event with 1 KMI message(s)

    Crypto mapdb : proxy_match

            src addr     : 150.1.10.10

            dst addr     : 150.1.9.9

            protocol     : 256

            src port     : 0

            dst port     : 0

    IPSEC(crypto_ipsec_create_ipsec_sas): Map found R7_TO_R8, 10

    IPSEC(create_sa): sa created,

      (sa) sa_dest= 150.1.8.8, sa_proto= 50, 

        sa_spi= 0xE23824B8(3795330232), 

        sa_trans= esp-aes 192 esp-sha384-hmac , sa_conn_id= 9

        sa_lifetime(k/sec)= (4608000/3600),

      (identity) local= 150.1.8.8:0, remote= 150.1.7.7:0,

        local_proxy= 150.1.10.10/255.255.255.255/256/0,

        remote_proxy= 150.1.9.9/255.255.255.255/256/0

    IPSEC(create_sa): sa created,

      (sa) sa_dest= 150.1.7.7, sa_proto= 50, 

        sa_spi= 0xC876977A(3363215226), 

        sa_trans= esp-aes 192 esp-sha384-hmac , sa_conn_id= 10

        sa_lifetime(k/sec)= (4608000/3600),

      (identity) local= 150.1.8.8:0, remote= 150.1.7.7:0,

        local_proxy= 150.1.10.10/255.255.255.255/256/0,

        remote_proxy= 150.1.9.9/255.255.255.255/256/0

    IPSEC: Expand action denied, notify RP

     ISAKMP: Failed to find peer index node to update peer_info_list

    ISAKMP:(1004):Received IPSec Install callback... proceeding with the negotiation

    ISAKMP:(1004):Successfully installed IPSEC SA (SPI:0xE23824B8) on GigabitEthernet0/1.58

    ISAKMP:(1004): sending packet to 150.1.7.7 my_port 500 peer_port 500 (I) QM_IDLE      

    ISAKMP:(1004):Sending an IKE IPv4 Packet.

    ISAKMP:(1004):deleting node 912673883 error FALSE reason "No Error"

    ISAKMP:(1004):Node 912673883, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE

    ISAKMP:(1004):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_PHASE2_COMPLETE

    ISAKMP:(1004):purging node 912673883

     

  • hmm...I JUST got thru some of this stuff - but I THINK you're negotiating a tunnel each way with IPSEC - and maybe ISAKMP too - and it sure seems like R7 doesn't want to set up with R8 even if R8 sets up with R7 - if it was IOU I'd say dump that stuff and get CSR1000v or GNS3 regular routers -

    could be a VIRL config issue. - I'd really like to see what the R7 to R8 debug when R7 tries to initiate since it seems to be R7 to R8 setup that's killing u, not R8 to R7

    RB

  • do me a favor - post ur R7 and R8 configs too- I know this is the crypto map lab, right?  The first one?   Let me put it up in ye ol' CSR1000v and see what happens

    RB

  • Ended up giving up and moving on to the next labs - VTI and GRE are much easier than the crypto maps!

     

    I've got the following config from my notepad; I'm pretty sure this is what I ended up with. This would be pasted onto the plain IPsec VPN config:

    R7

     

    conf t

     

    ip route 0.0.0.0 0.0.0.0 155.1.67.6

    ip route 0.0.0.0 0.0.0.0 155.1.37.3

     

    router ospf 1

    default-information originate

    int g0/1.79

    ip ospf 1 area 0

    exit

     

    ip access-list extended R7_TO_R8_ACL

    permit ip host 150.1.9.9 host 150.1.10.10 

    permit ip host 150.1.9.9 155.1.10.0 0.0.0.255

    permit ip 155.1.9.0 0.0.0.255 host 150.1.10.10 

    permit ip 155.1.9.0 0.0.0.255 155.1.10.0 0.0.0.255

     

    crypto ipsec transform-set ESP_AES192_SHA384 esp-aes 192 esp-sha384-hmac 

    mode tunnel

    exit

     

    crypto isakmp key CISCO address 150.1.8.8

     

    crypto isakmp policy 10

    authentication pre-share

    encr aes 256

    hash sha512

    group 24

    exit

     

    crypto map R7_TO_R8 10 ipsec-isakmp

    match address R7_TO_R8_ACL

    set peer 150.1.8.8

    set transform-set ESP_AES192_SHA384

    exit

     

    crypto map R7_TO_R8 local-address l0

     

    int g0/1.37

    crypto map R7_TO_R8

    int g0/1.67

    crypto map R7_TO_R8

    end

     

    R8

     

    conf t

     

    ip route 0.0.0.0 0.0.0.0 155.1.58.5

     

    router ospf 1

    default-information originate

    exit

     

    ip access-list extended R7_TO_R8_ACL

    permit ip host 150.1.10.10 host 150.1.9.9

    permit ip host 150.1.10.10 155.1.9.0 0.0.0.255

    permit ip 155.1.10.0 0.0.0.255 host 150.1.9.9

    permit ip 155.1.10.0 0.0.0.255 155.1.9.0 0.0.0.255

     

    crypto ipsec transform-set ESP_AES192_SHA384 esp-aes 192 esp-sha384-hmac 

    mode tunnel

    exit

     

    crypto isakmp key CISCO address 150.1.7.7

     

    crypto isakmp policy 10

    authentication pre-share

    encr aes 256

    hash sha512

    group 24

    exit

     

    crypto map R7_TO_R8 10 ipsec-isakmp

    match address R7_TO_R8_ACL

    set peer 150.1.7.7

    set transform-set ESP_AES192_SHA384

    exit

     

    crypto map R7_TO_R8 local-address l0

     

    int g0/1.58

    crypto map R7_TO_R8

    end

    R9

     

    conf t

     

    router ospf 1

    exit

     

    int g0/1.79

    ip ospf 1 area 0 

    int g0/1.9

    ip ospf 1 area 0

    int l0

    ip ospf 1 area 0

    end

    R10

     

    conf t

     

    router ospf 1

     

    int g0/1.108

    ip ospf 1 area 0 

    int g0/1.10

    ip ospf 1 area 0

    int l0

    ip ospf 1 area 0

    exit

     

    With the debugs running, from R7 to R8 (traffic originating on router 9) the ISAKMP process wouldn't even start. I'd confirmed routing, just originating the default route out to R9, and confirmed that was working via sh ip cef etc.

     

    When using VTI and GRE over IPsec everything works fine on VIRL. I would suspect a bug or an order-of-operations issue, but I tried reloading the router, stripping the crypto map off the interface and reapplying it etc., and the one-way thing says to me it's my config.

     

    Thanks! 

  • thought I saw the problem in ur config but pasted it into my lab just to be safe

    You were missing the ip ospf 1 area 0 on the R8 link to R10 (g0/1.108 - or gi 1.108 in my lab) - so you didn't have ospf connectivity between R8 and R10 - once I added that command I was home free

    R10#ping 150.1.9.9 so l0      
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.1.9.9, timeout is 2 seconds:
    Packet sent with a source address of 150.1.10.10
    .....
    Success rate is 0 percent (0/5)
    R10#
    %OSPF-5-ADJCHG: Process 1, Nbr 150.1.8.8 on GigabitEthernet1.108 from LOADING to FULL, Loading Done
    R10#ping 150.1.9.9 so l0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.1.9.9, timeout is 2 seconds:
    Packet sent with a source address of 150.1.10.10
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/31 ms

  • and I saw the same thing u did - isakmp tunnels on R7 but not R8  because the traffic generated on R10 never had a route out of R10 to trigger it on R8

     

  • If phase 1 and phase 2 come up, and you have no filters, it means you have a routing problem on the router which is not encrypting traffic, as routing does not put packets inside the IPsec tunnel.
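An added example, not from the thread or any poster: a small Python triage script over the two outputs shown above. It parses the `#pkts encaps`/`#pkts decaps` counters from `show crypto ipsec sa` to classify an SA as one-way, and checks that the two peers' crypto ACLs are exact mirror images; when the ACLs mirror and one side still only encapsulates, what is left to suspect is routing on the side whose traffic never reaches the crypto map, which is what this thread found. The sample outputs are constructed from the R7/R8 output posted in the thread.

```python
import re
# Constructed samples modelled on the thread's R8 `show crypto ipsec sa` and the R7/R8 crypto ACLs.
R8_IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (150.1.10.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (150.1.9.9/255.255.255.255/0/0)
   current_peer 150.1.7.7 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
R7_ACL = """\
Extended IP access list R7_TO_R8_ACL
    10 permit ip host 150.1.9.9 host 150.1.10.10
    20 permit ip host 150.1.9.9 155.1.10.0 0.0.0.255
    30 permit ip 155.1.9.0 0.0.0.255 host 150.1.10.10
    40 permit ip 155.1.9.0 0.0.0.255 155.1.10.0 0.0.0.255
"""
R8_ACL = """\
Extended IP access list R7_TO_R8_ACL
    10 permit ip host 150.1.10.10 host 150.1.9.9 (83 matches)
    20 permit ip host 150.1.10.10 155.1.9.0 0.0.0.255
    30 permit ip 155.1.10.0 0.0.0.255 host 150.1.9.9
    40 permit ip 155.1.10.0 0.0.0.255 155.1.9.0 0.0.0.255
"""
IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident.*?:\s*\(([^)]+)\)", re.M)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """One dict per SA block: proxy identities plus encaps/decaps counters."""
    sas = []
    for blk in re.split(r"(?m)^(?=\s*local\s+ident)", text):  # a block starts at 'local ident'
        idents = dict(IDENT_RE.findall(blk))
        if "local" not in idents:
            continue  # header lines before the first SA
        counters = dict(COUNTER_RE.findall(blk))
        sas.append({"local": idents["local"], "remote": idents.get("remote"),
                    "encaps": int(counters.get("encaps", 0)),
                    "decaps": int(counters.get("decaps", 0))})
    return sas


def diagnose_sa(sa):
    """Map the counter pattern to the verdict a practitioner draws from it."""
    enc, dec = bool(sa["encaps"]), bool(sa["decaps"])
    return {(True, False): "one-way: local side encrypts, peer never sends into the tunnel",
            (False, True): "one-way: local side decrypts, nothing local matches the crypto map",
            (False, False): "idle: no interesting traffic has reached the crypto map",
            (True, True): "two-way: SA carries traffic in both directions"}[(enc, dec)]


def _addr(toks, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) starting at toks[i]."""
    if toks[i] == "any":
        return ("any", "any"), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    return (toks[i], toks[i + 1]), i + 2


def parse_acl(text):
    """Set of (action, proto, src, dst) from `show access-lists` extended ACL output."""
    aces = set()
    for toks in (line.split() for line in text.splitlines()):
        hits = [i for i, t in enumerate(toks) if t in ("permit", "deny")]
        if hits:  # skips the 'Extended IP access list ...' header line
            i = hits[0]
            src, j = _addr(toks, i + 2)
            dst, _ = _addr(toks, j)  # a trailing '(83 matches)' is ignored
            aces.add((toks[i], toks[i + 1], src, dst))
    return aces


def acls_mirror(local_acl, peer_acl):
    """True when the peer's crypto ACL is exactly the src/dst reversal of ours."""
    return {(a, p, d, s) for a, p, s, d in local_acl} == set(peer_acl)


def triage(sa_text, local_acl_text, peer_acl_text):
    """Per-SA verdicts; an ACL mismatch is reported first because it trumps the counters."""
    verdicts = []
    if not acls_mirror(parse_acl(local_acl_text), parse_acl(peer_acl_text)):
        verdicts.append("crypto ACLs are not mirror images: fix them before looking further")
    for sa in parse_ipsec_sa(sa_text):
        verdicts.append(f"{sa['local']} <-> {sa['remote']}: {diagnose_sa(sa)}")
    return verdicts


if __name__ == "__main__":
    print("\n".join(triage(R8_IPSEC_SA, R8_ACL, R7_ACL)))
```

On the thread's data the ACLs mirror cleanly and R8's SA is reported as one-way (encrypting, never decrypting), which points at routing on the far side rather than at the crypto config.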

  • Nice one - thanks guys!

    I did look at the routing as per Cristian's comments, but I suspect I was fixated on the 7 to 9 traffic when the issue was around the 10 to 8 routing. I'll have to look at both sides next time if I get this again.
